SECURITY(low): removed localhost A and AAAA records

Version 1.5


Removed the localhost A and AAAA records from dns_a.conf and dns_aaaa.conf, so they are no longer added with new records. It was reported that they could contribute towards a bypass of RFC2109 on a system where multiple users can browse physically from this box. The security issue only applies where you use a browser that is physically running on the same box as apache. Basically, it won't affect you unless your own desktop is also your server, and you don't trust someone who is physically using the desktop login (almost 0% chance).

This change does not affect existing records. If you wish to remove all localhost records from all domain db files, you can use this regex. Be sure to back up the zones first:

    cd /var/named
    tar cvzf /root/zones.tar.gz *.db

Then remove the values:

    perl -pi -e 's#^localhost\s.*\n##' *.db

And lastly, bump up the serial, and trigger any MSS rewrites:

    echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue

Note this shouldn't affect your file, even if it ends in a .db because it should be "localhost." with a trailing dot, and the regex doesn't remove that.
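A dry-run check for the cleanup above, as an added example that is not part of the DirectAdmin changelog: it lists the records the removal regex would delete without modifying any file. The function names and the sample zones are constructed for illustration, and grep's ^localhost[[:space:]] is used as the per-line equivalent of the perl pattern.

```shell
#!/bin/sh
# Added example: preview the localhost cleanup without touching zone files.

# Print file:line:text for every record the removal regex would delete.
# The pattern needs whitespace right after "localhost", so the fully
# qualified owner "localhost." (trailing dot) is never matched.
preview_localhost_records() {
    grep -HnE '^localhost[[:space:]]' "$1"/*.db 2>/dev/null
}

# Number of records that would be removed under the given directory.
count_localhost_records() {
    preview_localhost_records "$1" | wc -l | tr -d '[:space:]'
}

# Zone files that would be modified by the cleanup.
zones_with_localhost() {
    grep -lE '^localhost[[:space:]]' "$1"/*.db 2>/dev/null
}

# Write two constructed sample zones (documentation addresses only).
write_sample_zones() {
    cat > "$1/example.com.db" <<'EOF'
$TTL 14400
@ IN SOA ns1.example.com. hostmaster.example.com. (2024010100 14400 3600 1209600 86400)
example.com. 14400 IN NS ns1.example.com.
example.com. 14400 IN A 192.0.2.10
localhost 14400 IN A 127.0.0.1
localhost 14400 IN AAAA ::1
localhost. 14400 IN A 127.0.0.1
www 14400 IN A 192.0.2.10
EOF
    cat > "$1/example.net.db" <<'EOF'
$TTL 14400
example.net. 14400 IN A 192.0.2.20
www 14400 IN A 192.0.2.20
EOF
}

# Demo on the constructed zones; for a real check, pass /var/named instead.
demo_dir=$(mktemp -d)
write_sample_zones "$demo_dir"
echo "Records that would be removed:"
preview_localhost_records "$demo_dir" || true
echo "Total: $(count_localhost_records "$demo_dir")"
rm -rf "$demo_dir"
```

Running `preview_localhost_records /var/named` before the perl command shows exactly which lines will disappear, so the backup can be compared against the result afterwards.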
